Hackers have developed a bootkit called BlackLotus that’s capable of bypassing the built-in security protections in Windows 11 to install malware and take full control of vulnerable PCs.
First discovered back in October of last year, BlackLotus is a Unified Extensible Firmware Interface (UEFI) firmware rootkit that can be used to create backdoors on Windows machines. Like with other types of malware, it’s sold on the dark web for the initial price of $5,000 with upgrades to new versions costing $200.
What makes BlackLotus and other UEFI bootkits particularly dangerous is the fact that they’re deployed in a Windows PC’s firmware and give hackers full control over how the operating system boots. According to The Hacker News (opens in new tab), this lets hackers disable security mechanisms built into the operating system and deploy payloads with high privileges.
Now though, a new report (opens in new tab) from ESET has shed light on BlackLotus’ ability to bypass UEFI Secure Boot on fully updated Windows 11 systems.
Not just regular malware
During its investigation into the matter, ESET uncovered six different BlackLotus installers after finding code patterns in samples brought to the cybersecurity firm. This led its researchers to the realization that BlackLotus isn’t just regular malware.
Besides running on systems with UEFI Secure Boot enabled, the bootkit can even disable built-in security mechanisms in Windows including BitLocker, HVCI and even Windows Defender. BlackLotus also leaves a kernel driver and an HTTP downloader on infected systems which allows it to communicate with a command and control (C&C) server to retrieve additional malware.
While updating to the latest version of an operating system can usually keep you protected, this bootkit exploits a vulnerability tracked as CVE-2022-21894 (opens in new tab) which has already been fixed. However, as vulnerable UEFI binaries still haven’t been revoked, BlackLotus can “stealthily operate on systems with UEFI Secure Boot enabled” according to ESET.
Should you be worried about BlackLotus?
BlackLotus is certainly dangerous and a threat to the best computers running Windows 11. However, a bootkit that costs $5,000 will likely be used for espionage by nation-state hackers or cybercriminals trying to gather information on their next big target.
Ordinary hackers already have plenty of tools in their arsenal that they use against consumers like malicious apps and phishing emails while BlackLotus will likely be used to target enterprise customers and quite possibly even governments.
Still, if you are concerned, it’s always a good idea to update your computer and especially your browser to make sure you’re running the latest software. Likewise, the best antivirus software can help keep you protected from a majority of cyber threats while the best identity theft protection can help you recover from having your identity stolen and any financial losses you may have suffered as a result.
Microsoft and PC makers are well aware of the threat that a bootkit like BlackLotus can do which is why the vulnerable UEFI binaries it exploits will likely be revoked soon.